While news of massive cyberattacks against major organizations worldwide makes the headlines on a daily basis, thousands of small and medium organizations are targeted by cybercriminals even more often.
Unlike large companies, small and medium businesses (SMBs) are more exposed to cyberattacks for multiple reasons, including a lack of investment in cyber defence and a lack of cyber risk awareness.
According to the Small Business Guide to Cyber Security, a whopping 76% of cyberattacks hit businesses with under 100 employees. Cybercriminals consider small businesses easy targets, and in many cases they are targeted because they are involved in the supply chain of major organizations.
A cyberattack can have a dramatic impact on small organizations – most of them go out of business within a few months of a security breach.
The same report reveals that the average cyberattack costs smaller businesses $3,533 per employee, and that it takes 206 days on average to identify a risk and another 73 days to contain it.
An increased online presence enlarges the attack surface and can expose small and medium businesses to greater risks. The top threats for small organizations include malware attacks (especially ransomware), data breaches, phishing attacks, and identity theft.
Many small organizations that are victims of ransomware attacks opt to pay the ransom. In most cases, the ransom is smaller than $10,000, but there is no guarantee that the encrypted data will be recovered.
Most attacks on SMBs go unreported
According to the Verizon Business Data Breach Investigation Report (DBIR), small and medium-sized businesses were at an especially high risk of data breaches and cyberattacks during the ongoing pandemic.
Looking at the number of reported attacks, you might think that big companies are the victims of more cyberattacks. That impression is misleading.
Many small businesses simply don’t report a security breach or they don’t know that they’ve been the victim of a cyberattack, because they don’t have a security solution in place to identify one.
Most small organizations have no access to solutions that monitor their infrastructure and protect their assets from cyberattacks. The situation is getting worse because of the growing sophistication of attacks and the rapid spread of the crimeware-as-a-service model, which allows less-skilled attackers to easily arrange their malicious campaigns.
The biggest cybersecurity risk for small businesses, however, is the human factor: threat actors can exploit employees’ lack of knowledge about cyber threats to target them. Data is another source of risk, since the exposure of the organization’s data can have a severe impact on its operations and on the reputation of the organization and its members. Infrastructure risk is a further threat, as every unprotected device can be an entry point for attackers who then access the organization’s networks and perform malicious activities.
How to protect small businesses from cyberattacks?
The Australian Cyber Security Centre (ACSC) has published a set of recommendations on how small businesses can better protect themselves from cyberattacks and disruptions, especially during the COVID-19 pandemic.
The key actions recommended by the ACSC to stop many malicious actors from being successful include:
- Watch out for scam emails (phishing) and don’t open attachments or click on links included in unsolicited messages.
- Update your software and operating systems.
- Use strong passphrases and don’t share them around.
- Enable multi-factor authentication.
- Back up your data and store it separately from the computer.
However, the above suggestions are not enough to protect small businesses if they fail to adopt security measures for the protection of personal data that result from a risk-based approach. It is essential for small organizations to understand the context of their personal data processing operations and then assess the associated security risks.
Unfortunately, risk analysis is not easy to carry out for small businesses due to their specific characteristics, such as limited resources and funds, unavailability of staff with specific skills, specific sectoral regulatory provisions, and limited awareness of cyber risk.
The “Guidelines for SMEs on the security of personal data processing” published by ENISA propose an approach to risk management based on the following four steps:
- Definition of the processing operation and its context. In this phase, the organization assesses the data processed, systems involved, and their relevant context.
- Understanding and evaluation of impact. In this phase, the business evaluates the potential impact of each risk on the operations of the organization, the rights and freedoms of individuals, and the data processing system.
- Definition of possible threats and evaluation of the threat occurrence probability. In this phase, the organization analyses the threats related to the overall environment of personal data processing (external or internal) and assesses their likelihood (threat occurrence probability).
- Evaluation of risk (combining threat occurrence probability and impact). In this phase, the business evaluates the risk by combining the impact of the personal data processing operation with the relevant threat occurrence probability.
Only after the risk level has been evaluated can the organization select and implement the appropriate security measures, which may be organizational or technical.
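The four ENISA steps above, carried through for one processing operation, as an added example that is not part of the article or of the ENISA guideline. The level vocabulary, the "worst dimension wins" rule for impact, the per-threat combination and the risk matrix are illustrative simplifications assumed here, not ENISA's own tables; the sample payroll operation is constructed.

```python
from dataclasses import dataclass

# Ordered vocabulary shared by impact, threat occurrence probability and risk.
LEVELS = ("low", "medium", "high", "very high")
# Assumed combination matrix RISK_MATRIX[impact][probability]; an illustrative
# simplification for this example, not the table from the ENISA guideline.
RISK_MATRIX = {
    "low":       {"low": "low",    "medium": "low",    "high": "medium"},
    "medium":    {"low": "low",    "medium": "medium", "high": "high"},
    "high":      {"low": "medium", "medium": "high",   "high": "high"},
    "very high": {"low": "high",   "medium": "high",   "high": "very high"},
}

@dataclass
class ProcessingOperation:
    """Step 1: the processing operation and its context (data, systems)."""
    name: str
    data_categories: list   # personal data processed, e.g. ["sick leave records"]
    systems: list           # systems involved, e.g. ["HR SaaS", "finance laptop"]
    impact: dict            # step 2: dimension -> impact level
    threats: dict           # step 3: threat -> occurrence probability

def rank(level):
    """Position of a level in LEVELS; rejects typos such as 'hihg'."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    return LEVELS.index(level)

def overall_impact(op):
    """Step 2: worst case across operations, individuals' rights and the system."""
    return max(op.impact.values(), key=rank)

def risk_per_threat(op):
    """Step 4: combine the operation's impact with each threat's probability."""
    impact = overall_impact(op)
    return {threat: RISK_MATRIX[impact][prob] for threat, prob in op.threats.items()}

def overall_risk(op):
    """The operation's risk level is its highest per-threat risk."""
    return max(risk_per_threat(op).values(), key=rank)

def prioritise(ops):
    """Order operations so the riskiest ones receive security measures first."""
    return sorted(ops, key=lambda op: rank(overall_risk(op)), reverse=True)

# Constructed sample operation (not from the article or ENISA).
PAYROLL = ProcessingOperation(
    "payroll", ["employee bank details", "sick leave records"], ["HR SaaS", "finance laptop"],
    impact={"operations": "medium", "rights_and_freedoms": "high", "system": "medium"},
    threats={"phishing": "high", "ransomware": "medium", "lost laptop": "low"},
)
```

Running `risk_per_threat(PAYROLL)` shows which threat drives the "high" rating, which is the information needed to choose measures (for example multi-factor authentication and offline backups against the phishing and ransomware rows).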
At the end of the day, however, we need a cultural change to protect small organizations. Information sharing and awareness on cyber threats are the pillars of the right approach, and this change has to be promoted and sustained by governments.